Bug 2228689 (CVE-2023-3978) - CVE-2023-3978 golang.org/x/net/html: Cross site scripting
Summary: CVE-2023-3978 golang.org/x/net/html: Cross site scripting
Keywords:
Status: NEW
Alias: CVE-2023-3978
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2228806 2228807 2228808 2228810 2228811 2228812 2228813 2228814 2228815 2228824 2228825 2229577 2229578 2229579 2229580 2229581 2229583 2229584 2229585 2229586 2229587 2229588 2229589 2229590 2229591 2229592 2229593 2229594 2229595 2229596 2229597 2229598 2229600 2229601 2229602 2229603 2229604 2229605 2229607 2229608 2229610 2229611 2229582 2229599
Blocks: 2228694
Reported: 2023-08-03 05:50 UTC by Avinash Hanwate
Modified: 2023-08-07 12:58 UTC (History)

Fixed In Version: golang.org/x/net/html 0.13.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Golang HTML package where it is vulnerable to Cross-site scripting caused by the improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's web browser within the security context of the hosting website once the URL is clicked. The flaw allows an attacker to steal the victim's cookie-based authentication credentials.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2023-08-03 05:50:06 UTC
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

https://go.dev/issue/61615
https://go.dev/cl/514896
https://pkg.go.dev/vuln/GO-2023-1988
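The description above is a single sentence, so as an added illustration (this is not code from the golang.org/x/net project or from the reporter) the following Go program models the defect with a minimal tree type and a serialiser that can run in either the flawed mode or the corrected mode. The names Node, render, RenderVulnerable, RenderFixed, UserText, SampleTree and TextEscaped are assumptions made for this example; the sample input is constructed; only the standard-library `html` package is used, not golang.org/x/net/html.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// NodeType distinguishes the two node kinds this model needs.
type NodeType int

const (
	ElementNode NodeType = iota
	TextNode
)

// Node is a deliberately minimal stand-in for a parsed HTML tree node
// (constructed for this example; it is not the golang.org/x/net/html Node type).
type Node struct {
	Type      NodeType
	Data      string // tag name for elements, raw text for text nodes
	Namespace string // "" for the HTML namespace, "svg" or "math" for foreign content
	Children  []*Node
}

// render serialises the tree. With escapeForeign=false it reproduces the defect
// the bug describes: a text node whose parent is outside the HTML namespace is
// written literally. With escapeForeign=true every text node is escaped, which
// is what a serialiser must do for its output to be safe to re-embed.
func render(n *Node, parentNS string, escapeForeign bool, w *strings.Builder) {
	switch n.Type {
	case TextNode:
		if parentNS == "" || escapeForeign {
			w.WriteString(html.EscapeString(n.Data))
		} else {
			w.WriteString(n.Data) // defect: markup characters in user text reach the output raw
		}
	case ElementNode:
		fmt.Fprintf(w, "<%s>", n.Data)
		for _, c := range n.Children {
			render(c, n.Namespace, escapeForeign, w)
		}
		fmt.Fprintf(w, "</%s>", n.Data)
	}
}

// RenderVulnerable models the pre-fix serialiser.
func RenderVulnerable(root *Node) string {
	var b strings.Builder
	render(root, "", false, &b)
	return b.String()
}

// RenderFixed models the corrected serialiser: text is escaped in every namespace.
func RenderFixed(root *Node) string {
	var b strings.Builder
	render(root, "", true, &b)
	return b.String()
}

// UserText is constructed sample input: text that arrived from a user and
// happens to contain markup characters. It must never be interpreted as tags.
const UserText = "</text></svg><b>injected</b>"

// SampleTree builds <div><svg><text>UserText</text></svg></div>, so the user
// text sits inside SVG foreign content, which is the situation the bug concerns.
func SampleTree() *Node {
	text := &Node{Type: TextNode, Data: UserText}
	svgText := &Node{Type: ElementNode, Data: "text", Namespace: "svg", Children: []*Node{text}}
	svg := &Node{Type: ElementNode, Data: "svg", Namespace: "svg", Children: []*Node{svgText}}
	return &Node{Type: ElementNode, Data: "div", Namespace: "", Children: []*Node{svg}}
}

// TextEscaped is the check a defender wants on any serialiser output: the raw
// user text must not appear verbatim, because verbatim means its '<' and '>'
// would be parsed as tags by the next consumer of the output.
func TextEscaped(out string) bool {
	return !strings.Contains(out, UserText)
}

func main() {
	tree := SampleTree()
	fmt.Println("vulnerable:", RenderVulnerable(tree), "escaped:", TextEscaped(RenderVulnerable(tree)))
	fmt.Println("fixed:     ", RenderFixed(tree), "escaped:", TextEscaped(RenderFixed(tree)))
}
```

In the flawed mode the user text closes the svg element and opens a new `<b>` element in the output; in the corrected mode it comes out as `&lt;/text&gt;&lt;/svg&gt;...` and survives a re-parse as plain text. In a real code base the remediation is the dependency upgrade the page records (golang.org/x/net/html 0.13.0); govulncheck reports the issue under the advisory GO-2023-1988 linked above.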

Comment 6 Avinash Hanwate 2023-08-07 05:38:23 UTC
Created caddy tracking bugs for this issue:

Affects: fedora-all [bug 2229582]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229583]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2229577]


Created cri-o:1.21/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229584]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229585]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229586]


Created cri-o:1.25/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229587]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229588]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229589]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229590]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229591]


Created cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229592]


Created gh tracking bugs for this issue:

Affects: fedora-all [bug 2229593]


Created golang-github-docker-slim tracking bugs for this issue:

Affects: fedora-all [bug 2229594]


Created golang-github-onsi-ginkgo-2 tracking bugs for this issue:

Affects: fedora-all [bug 2229595]


Created golang-github-projectdiscovery-chaos-client tracking bugs for this issue:

Affects: fedora-all [bug 2229596]


Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-all [bug 2229578]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-all [bug 2229597]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2229598]


Created golang-x-net tracking bugs for this issue:

Affects: epel-all [bug 2229579]
Affects: fedora-all [bug 2229599]


Created golang-x-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229600]


Created hugo tracking bugs for this issue:

Affects: fedora-all [bug 2229601]


Created kompose tracking bugs for this issue:

Affects: epel-all [bug 2229580]


Created migrate tracking bugs for this issue:

Affects: fedora-all [bug 2229602]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2229603]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2229604]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2229605]


Created rclone tracking bugs for this issue:

Affects: epel-all [bug 2229581]


Created shellz tracking bugs for this issue:

Affects: fedora-all [bug 2229607]


Created xq tracking bugs for this issue:

Affects: fedora-all [bug 2229608]

Comment 7 Avinash Hanwate 2023-08-07 05:45:38 UTC
Created rclone tracking bugs for this issue:

Affects: fedora-all [bug 2229610]

